I’ve noticed, as have many others, an influx of text message spam over the past few months. At least once per day, it seems, I get something from a number not familiar to me offering some sort of reward if I just click the link included in the text. And, according to Christopher Mims of the MIT Technology Review, this sort of text message spam may, surprisingly, be a device to give spammers access to your Gmail account rather than anything on your phone.
Recently, my wife and I both received, within an hour of one another, a text like this: “Your entry last month has WON! Goto https://xxxxxx enter your Winning Code: “1122” to claim your FREE $1,000 Best Buy Giftcard!”
Our phone numbers are almost identical, so the fact that we both got this text in a short period of time suggests that someone is auto-SMSing it to every number in a certain range, one after another. Which would make it classic text spam, annoying but not dangerous on its own.
The URL contained in the text goes to this website, https://bestbuy.bestgiftcardsforu.com/ which asks for your email address. The site appears to be affiliated with (or at least is linking to and borrows text from) MyRewardsClub.com. I don’t think these people are hackers, just marketers.
But here’s how hackers could turn this marketing scheme into a password-harvesting scheme: After users enter their email address, if it’s a Gmail address, hackers could automatically request that Google send an account verification code to the cell phone of the owner of that Gmail address. This is what Google does when you tell it that you forgot your password — one of the three options for recovering it is to have a verification code sent to the cell phone number associated with your account.
In order for the user to claim their “reward” (in this case, a fake $1000 gift card) the site could then direct them to enter the verification code that Google sent to the user’s phone. As soon as the site has both a user’s Gmail address and that verification code, it’s game over — hackers can use the code to log into that account and immediately change the password, giving them access and locking the user out of their own account.
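Seen from a filter's or a recipient's side, the lure described above has a recognisable shape: prize language, a request to enter a code behind a link, and a brand name sitting in the hostname of a domain the brand does not own. The following Python is an added example, not part of the original article; the brand table, the keyword list and the two-label domain shortcut are assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: map of brand keyword -> the brand's real registrable domain.
BRANDS = {"bestbuy": "bestbuy.com"}
# Assumption: lure vocabulary taken from the text quoted in the article.
LURE = re.compile(r"\b(won|free|claim|gift\s?card|reward)\b", re.I)
CODE = re.compile(r"\bcode\b", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Production code should consult the Public Suffix List instead."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def impersonated_brands(url):
    """Brands named somewhere in the hostname but not owning the domain."""
    host = (urlsplit(url).hostname or "").lower()
    return [b for b, legit in BRANDS.items()
            if b in host and registrable(host) != legit]


def triage_sms(text):
    """Return the reasons a text message looks like the lure described."""
    reasons = []
    urls = URL.findall(text)
    if LURE.search(text):
        reasons.append("prize-lure")
    if urls and CODE.search(text):
        reasons.append("code-plus-link")
    for url in urls:
        reasons += [f"brand-in-foreign-domain:{b}" for b in impersonated_brands(url)]
    return reasons


# Constructed samples: the quoted text with the article's URL filled in,
# a store notification, and a bare verification-code message.
SPAM = ('Your entry last month has WON! Goto https://bestbuy.bestgiftcardsforu.com/ '
        'enter your Winning Code: "1122" to claim your FREE $1,000 Best Buy Giftcard!')
STORE = "Your Best Buy order is ready for pickup: https://www.bestbuy.com/orders"
OTP = "G-123456 is your Google verification code."

if __name__ == "__main__":
    for sms in (SPAM, STORE, OTP):
        print(triage_sms(sms) or "no flags", "<-", sms[:40])
```

A genuine verification-code text carries no link and no prize, which is why the third sample raises no flags; the code it contains should only ever be typed into the service that sent it.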
This just confirms to me that I could never be a professional spammer — this sounds like way too much work, not to mention being complex, just to get access to an email account for the purposes of spamming someone’s address book. My penchant for laziness sort of prohibits me from going to such lengths.
Also, are people really that stupid that they fall for this sort of thing in large numbers? Actually, never mind — don’t answer that.